Online accounting systems: Accounting for cloud security

Q: Our company is in the market for a small business accounting system, and I’ve been advised to consider a cloud-based accounting solution. However, I am reluctant to put our company data on the internet because of security concerns. What’s your opinion on this matter? Also, can you recommend some good, low-cost, cloud-based accounting systems?

A: For nearly two decades I’ve preached that cloud-based accounting (in years past we referred to cloud-based accounting as “web-based accounting” or “hosted accounting”) is usually a better option than desktop accounting systems. My reasoning is that maintaining centralized accounting data in the cloud leads to more current data for all users and also makes the system more available to your office workers, satellite offices, work-from-home employees, sales reps on the road, and even your customers (through customer portals). However, many CPAs have pushed back, worrying that it is irresponsible for a company to maintain its accounting data in the cloud—but I disagree.

Cloud-based accounting systems don’t actually store your data in a vapor mist in the sky; rather your accounting data are stored in world-class data centers with fortified concrete walls, steel doors, retina scans needed for entry, world-class firewalls, state-of-the-art anti-virus technology, continuous backups, and often a mirrored backup of the entire data center. By contrast, upon questioning, I find that many of my clients and CPE audience members who worry about the security of cloud-based accounting systems tend to maintain inferior systems with one or more of the following security vulnerabilities:

They have their accounting system file servers sitting on the floor underneath a window or in a room where the door can be easily kicked in;

They run weak or out-of-date antivirus software;

They depend on firewalls that are not fully or properly set up;

They run limited or sporadic backup procedures, if any;

They have little redundancy built in to protect against a catastrophic event, such as a fire; and

They leave their workstations up and running overnight, in which case janitors, security guards, and others can potentially access them.

On top of these security problems, desktop-based systems often do not offer superior high-speed remote access to satellite offices or remote workers. While both “on premise” and “cloud” approaches have risks, given these two scenarios, I prefer the cloud-based option because it tends to be the more secure option with better user access.

Another common point some CPAs argue against cloud-based accounting is that these systems become unavailable when the internet goes down—which is true. While I concede this point, it is worth noting that a company’s electricity usually goes out more frequently than does internet service, so neither option offers 100% up time (unless your company employs a backup generator).

The most valid argument against cloud-based accounting seems to be that it makes company financial data slightly more vulnerable to hackers and government spying programs, and while these threats are concerning, they are mitigated to a small degree as follows:

Accounting systems typically encrypt their data by default, and a separate encryption scheme is typically applied to credit card data contained therein. Therefore, hackers who target this type of data must break three layers of security: (1) the cloud’s security, (2) the accounting system’s security, and (3) the credit card security. Perhaps for this reason, hackers have not historically targeted accounting systems, though some experts suggest that some hackers are now doing so.

The potential government access to cloud-based company data does not alarm me much either because all companies end up reporting their financial data to the government anyway, through tax returns and other filing requirements.

(Caveat: Despite my tolerance for maintaining accounting system data in the cloud, I still do not recommend that you save unencrypted PDF-based tax returns, personal financial data and health records, and other sensitive client information to the cloud, because those data lack the layers of security I mentioned above.)

As for specific recommendations, listed below are 10 small-business-caliber, cloud-based accounting solutions with prices starting at less than $25 per month, listed in order of each product’s starting price:

While a full review of each product is outside the scope of this column, some of the common advantages of these 10 systems are as follows:

No upfront costs. Get started with no upfront costs; all products are either free or provide a trial period so you can get started right away.

No server costs. With cloud-based solutions, you pay nothing for the server, and you don’t need to set up complicated remote-access software; instead just log in through any device via any internet connection.

Minimal setup. Because cloud-based systems are already installed in the cloud, you are able to start working with them more quickly. Most cloud-based systems ask only a few startup questions, after which you can start entering your transactions—often within a few minutes. The old-school days of spending weeks to install servers, workstations, database software, and accounting systems are over; today’s cloud-based systems make it inexpensive and easy to automate your small organization’s accounting tasks.

Some of the disadvantages of cloud-based accounting systems are as follows:

If your internet access is slow, your accounting system will be slow.

If your internet access goes down, your accounting system will also go down.

Hackers tend to target larger reservoirs of data such as those in the cloud, rather than individual computer systems, so everyone’s collective data in the cloud may represent a higher-profile target that could lead to more hacking attacks on cloud-based data.

In the final analysis, virtually everything has risk, including cloud-based accounting. However, in my opinion, the benefits outweigh the risks, so I do recommend this platform.

(Editor’s note: Accounting firms need to know which data privacy rules and regulations apply to them based on the state(s) where they operate. Firms then need to read all service-level agreements with cloud vendors to ensure they know where data will be physically housed and whether the vendor can comply with all the relevant requirements.)

Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to jofatech@aicpa.org. We regret being unable to individually answer all submitted questions.